Paul's Security Weekly

This week Dr. Doug talks: NarcBots, Blacktech, ZenRat, Chrome, CISO Churn, lots of privacy issues, Aaran Leyland, will Dr. Doug drink the Y3K Special Edition Coke? And more on this edition of the Security Weekly News! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-329

This week, First up its the Security News: libwebp or die: we unravel some of the details behind the webp vulnerability first fixed by Apple and Google, then, hopefully by everyone else, attackers can steal your pixels using your GPU, someone cough China cough has been hacking Cisco routers, Kia boys are still a problem, How the Cult of the Dead Cow plans to save the internet, how iOS updates could break glucose monitors, spamming the CVE database, and when a medium is really a high! Just what are the right skills to have or acquire to work in cybersecurity today? Kayla and the Security Weekly crew talk about it in this segment. We also touch on why we get burnt out and how to avoid it, all in anticipation for SOC Analyst Appreciation Day! This segment is sponsored by Devo . Visit https://securityweekly.com/devo to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.c

Supply chain has been a hot topic for a few years now, but so many things we need to do for a secure supply chain aren't new at all. We'll cover SBOMs, vuln management, and putting together a secure pipeline. Segment resources: https://www.solarwinds.com/assets/solarwinds/swresources/whitepaper/2111swiwhitepaper_nextgenbuild.pdf https://next.redhat.com/project/tekton-chains/ https://tekton.dev/ In the news, a stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security), and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-256

This week Dr. Doug talks: The Year 3000, Sandman, ShadowSyndicate, National Student Clearing House, Apple, Predator, Xenomorph, Mixin, More News, and Jason Wood on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-328

In this episode, we interview Jake Wilson, Western Governor University's Security Awareness Evangelist. We'll learn about how he built up and matured WGU's security awareness program, eliminating blind spots, and improving efficacy through data analysis and better reporting. This segment is sponsored by Living Security. Visit https://securityweekly.com/livingsecurity to learn more about them! This week in the leadership and communications section: building a feedback-driven culture, letting go of the reins, 25 hard-hitting lessons from 17 years in cybersecurity, and more! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-321

Forrester Research releases a few annual reoccurring cybersecurity reports, but one of the biggest that covers the most ground is the Security Risk Planning Guide, which was recently released for 2024. One of the report's 17 authors, and research director, Merritt Maxim, will walk us through the report's most interesting insights and highlights. This is going to be considerably interesting considering some of this year's trends impacting security teams: An economic downturn, resulting in layoffs and budget freezes The widespread proliferation of generative AI technology The relentless and resilient nature of cybercrime, despite some notable law enforcement wins Ongoing discussion about the role and relevance of SOCs, CISO's, as well as the security department place in today's enterprise Increased enterprise reliance on SaaS and Cloud, as vendors and service providers continue to struggle with securing their products and services If you've ever played Dungeons & Dragons, you probably know that the qualit

This week on the Security Weekly News: Passkeys, bots, hotels, conning the con, TrendMicro, Pizza, Aaran Leyland, & more! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-327

Nathan comes on the show to discuss LLMs, such as ChatGPT, the issues we face today and in the future. Learn about prompt injection attacks, jailbreaking, LLMs for threat actors, and more! In the Security News: LVFS is not a backdoor, attackers are in physical proximity, when you need to re-cast risk, oh Fortinet, pre-installed backdoors again, deep down the rabbit hole, the buffer overflow is in your BIOS!, what is 345gs5662d34?, a cone is all you need, we are compliant because we said so but we lied, 10 years of updates, Microsoft looks at ncurses and finds bad things, they also lost 38TB of data (Microsoft that is), when MFA isn’t really MFA, China and Russia are cyber attacking things, and MGM and Caesars are in hot water, All that and more on this episode of Paul’s Security Weekly!   Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.co

The majority of attacks are now automated, with a growing number of attacks targeting business logic via APIs, which is unique to every organization. This shift makes traditional signature-based defenses insufficient to stop targeted business logic attacks on their own. In this discussion, Karl Triebes shares how flaws in business logic design can leave applications and APIs open to attack and what tools organizations need to effectively mitigate these threats. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them! In the news segment, a slew of XSS in Azure's HDInsights, CNCF releases fuzzing and security audits on Kyverno and Dragonfly2, CISA shares a roadmap for security open source software, race conditions and repojacking in GitHub, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com

This week Dr. Doug talks: SprySocks, Lazarus, Fortinet, Juniper, CISA, Transparent Tribe, AI Art, More News, and Jason Wood on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-326

This week Dr. Doug talks: Cyberdog, Pegasus, Webex, Peach Sandstorm, SAP, Caesar, Penn State, Aaran Leyland, and More News on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-325  

Organizations still struggle with DDoS, ransomware, and personal information exfiltration. In order the prevent these attacks, we first need to understand the ‘types’ of DDoS and emerging threat techniques used by the adversary. In this interview, we explore these attacks in the context of edge computing. As edge computing use cases evolve, organizations need to understand the intersection of edge computing, networking, and cybersecurity. We discuss the risks associated with edge computing, the controls that can mitigate these risks, and how to plan for implementation, including security budgeting. Segment Resources: https://www.akamai.com/blog/security/defeating-triple-extortion-ransomware This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attcybersecurity to learn more about them! In the leadership and communications section, Board Members Struggling to Understand Cyber Risks, Cybersecurity Goals Conflict With Business Aims, Navigating Change: The Essence of Agile Leaders

Discussing ways to ensure client success with MDR and discuss the ways organizations hurt MDR efficacy with overly broad global exclusions, poor deployment practices, and poor policy hygiene. This segment is sponsored by Sophos. Visit https://securityweekly.com/sophos to learn more about them! We talk to Chris Sanders today, who has been steeped in the world of SecOps and detection/response for many years. After many years of writing books and training folks in the cybersecurity industry, he started delving into cognitive psychology and educational effectiveness. He leverages this knowledge in the training classes he builds and delivers. Today we'll discuss why it seems like defenders are still failing, despite the security industry largely (and arguably) receiving the resources it has been requesting. In this news segment, we start off by discussing funding, acquisitions, and Ironnet's unfortunate demise. We discuss Gmail's new, extra verifications for sensitive actions and Lockheed Martin's Hoppr SBOM and s

Ryan has his finger on the pulse of ransomware and response. We discuss how the initial infections are occurring, how they've changed over time, and where they are going in the future! Segment Resources: For folks to see my recent presentations: for528.com/playlist For folks to see the recordings of our recent Ransomware Summit: https://for528.com/summit23 For folks to watch my recent (free) ransomware workshop: https://for528.com/workshop23  Materials: https://for528.com/workshop Lots in the Security News this week. Stay tuned! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/psw Show Notes: https://securityweekly.com/psw-798

Zed Attack Proxy is an essential tool for web app pentesting. The project just recently moved from OWASP to the Secure Software Project. Hear about the challenges of running an OSS security project, why Simon got involved in the first place, and why successful projects are about more than just code. Segment Resources: - https://www.zaproxy.org/  - https://softwaresecurityproject.org/blog/welcoming-zap-to-the-software-security-project/  - https://owasp.org/www-project-vulnerable-web-applications-directory/  In the news segment, a key compromised from a crash dump (and the many, many lessons that followed), more examples of mishandling secrets, URL parsing mismatches show path traversal works well in Rust, an old Linux kernel bug shows how brittle code can be (even when it's heavily audited), an example of keeping OSS projects alive, a quick note on BLASTPASS, and a look at privacy in cars, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.co

This week Dr. Doug talks: Mopria, Cisco, Seimens and Schneider, Word, AP Stylebook, DarkGate, GitHub, Chrome, More News, and Jason Wood on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-324  

Managing identities continues to add complexity for granting access to enterprise resources. Between the increasing number and expanding types of identities, including carbon-based, silicon-based, and artificial identities, and the evolution of cloud computing and remote work, managing the perimeter is now an identity problem. What risks do each of these identity types pose and how do you mitigate them? Jeff Reich, Executive Director at Identity Defined Security Alliance (IDSA), joins us to discuss the challenges of digital identities, how to discover risk with digital identities, and how best to mitigate those risks. Segment Resources: IDSA's 2023 Trends in Security Digital Identities: https://www.idsalliance.org/white-paper/2023-trends-in-securing-digital-identities/ Securing Your Remote Workforce Through Identity-Centric Security: https://www.idsalliance.org/white-paper/securing-your-remote-workforce-through-identity-centric-security/   In the leadership and communications section, The importance of CISO

Doug talks with Chat GPT in an interview format just to see what having a conversation with the AI is like. It even gets around to asking Chat GPT the famous six questions from Paul's Security Weekly. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly \Show Notes: https://securityweekly.com/vault-swn-4 

Check out this interview from the ESW Vault, hand picked by main host Adrian Sanabria! This segment was originally published on November 18, 2022. This segment will focus on (1) Why Did Sephora Get Fined $1.2M and Why Are They on Probation? (2) Why Data Privacy is Being Overhauled in 2023 (and How You Can Be Ready) Segment Resources: https://www.consumerreports.org/electronics-computers/privacy/i-said-no-to-online-cookies-websites-tracked-me-anyway-a8480554809/  https://www.geekwire.com/2022/the-bittersweet-serendipity-that-gave-these-two-startup-leaders-a-shared-mission-in-online-privacy/ https://www.boltive.com/blog/why-having-a-consent-management-platform-is-not-enough https://www.boltive.com/blog/bracing-for-2023-privacy-laws https://ceoworld.biz/2022/07/03/three-ways-your-data-is-leaking-in-advertising-and-how-to-avoid-it/   Show Notes: https://securityweekly.com/vault-esw-4  Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly  

Check out this interview from the PSW Vault, hand picked by main host Paul Asadoorian! This segment was originally published on February 4, 2013. Dr. Spafford is one of the senior, most recognized leaders in the field of computing. He has an on-going record of accomplishment as a senior advisor and consultant on issues of security and intelligence, education, cybercrime and computing policy to a number of major companies, law enforcement organizations, academic and government agencies... [With] over three decades of experience as a researcher and instructor, Professor Spafford has worked in software engineering, reliable distributed computing, host and network security, digital forensics, computing policy, and computing curriculum design. Dr. Spafford is a professor with an appointment in Computer Science at Purdue University, where he has been a member of the faculty since 1987. Spaf's new book, Cybersecurity Myths and Misperceptions, is available at https://informit.com/cybermyths  Visit https://www.securit